
secretguard v0.2.1

Scan source code for secrets, credentials, and PII

secretguard

Scan your source code for secrets, credentials, and PII before they reach production.

npx secretguard .

Exits with code 1 if any CRITICAL findings are detected — drop it into your CI pipeline and it just works.

What it detects

30 patterns across credentials and PII, grouped by severity.

Credentials — CRITICAL

  • AWS access keys (AKIA...) and secret keys
  • OpenAI API keys (sk-...)
  • Anthropic API keys (sk-ant-...)
  • GitHub tokens (ghp_, ghs_, gho_, github_pat_)
  • GitLab personal access tokens (glpat-)
  • Slack bot and user tokens (xoxb-, xoxp-)
  • SendGrid API keys (SG.)
  • npm access tokens (npm_)
  • Stripe live secret keys (sk_live_)
  • Twilio auth tokens
  • Database URLs (PostgreSQL, MySQL, MongoDB — credentials in URL)
  • RSA, EC, OpenSSH, and PGP private keys

Credentials — HIGH

  • JWT tokens
  • Stripe live publishable keys (pk_live_)
  • Google API keys (AIzaSy...)
  • Twilio Account SIDs
  • Generic API keys (high-entropy strings assigned to api_key, API_KEY, etc.)

PII — CRITICAL

  • Social Security Numbers (SSN)
  • Credit card numbers (Visa, Mastercard, Amex, Discover)

PII — MEDIUM

  • Email addresses
  • US and international phone numbers

PII — LOW

  • Public IPv4 addresses (private ranges excluded)

All findings are shown masked in output — raw secrets are never printed.

PII and false positives

PII scanning is tuned for production source, not test fixtures.

Skipped in test-like paths — email, phone, SSN, credit card, and public IP patterns do not run in:

  • *.test.*, *.spec.*
  • __tests__/, __mocks__/
  • fixtures/, mocks/, stubs/

Filtered fake values — in other files, obvious placeholders are ignored (e.g. [email protected], [email protected], US 555- numbers, all-same-digit phones).

Credentials are always scanned — API keys and tokens in test files are still reported. A real ghp_ or sk_live_ in a test is still a leak risk.

Install

npm install -g secretguard

Or use without installing:

npx secretguard .

Usage

# Scan current directory
secretguard .

# Scan a specific path
secretguard ./src

# Ignore additional paths (repeatable, -i shorthand works too)
secretguard . --ignore tests --ignore fixtures
secretguard . -i tests -i fixtures

# Output as JSON
secretguard . --json

# Save HTML report (-o shorthand works too)
secretguard . --output report.html
secretguard . -o report.html

# Combine flags
secretguard . -i tests --json

Defaults

The following paths are ignored automatically — no configuration needed:

node_modules  .git  dist  build  coverage
.next  .nuxt  .turbo  .cache  vendor  __pycache__  .venv

Binary files (images, PDFs, archives, compiled binaries) are skipped automatically.

CI/CD

# GitHub Actions step
- name: Scan for secrets and PII
  run: npx secretguard . --ignore tests

# Pre-commit hook (.git/hooks/pre-commit, chmod +x): a non-zero exit aborts the commit
#!/bin/sh
exec secretguard .

The exit code is 0 when no CRITICAL findings are detected, 1 otherwise. This makes it straightforward to block CI on real secrets while still reporting HIGH/MEDIUM findings.
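As an added illustration (not secretguard's own source), here is a small JavaScript reimplementation of the behaviours described under "PII and false positives" and the exit-code rule above: PII patterns skipped in test-like paths while credentials still run, private IPv4 ranges excluded, values masked, and exit code 1 only for CRITICAL findings. The four patterns, the masking format and the sample files are assumptions constructed for this example.

```javascript
// Added illustration of the README's described behaviour; NOT secretguard's own code.
// Constructed patterns cover only a few of the listed formats.
const PATTERNS = [
  { name: 'AWS access key', severity: 'CRITICAL', pii: false, re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'GitHub token', severity: 'CRITICAL', pii: false, re: /\bgh[pso]_[A-Za-z0-9]{36}\b/g },
  { name: 'Email address', severity: 'MEDIUM', pii: true, re: /[\w.+-]+@[\w-]+\.[\w.-]+/g },
  { name: 'Public IPv4', severity: 'LOW', pii: true, re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
    keep: (v) => !isPrivateIPv4(v) },   // "private ranges excluded"
];
// Test-like paths in which PII patterns do not run (credentials still do)
const TEST_PATH = /\.test\.|\.spec\.|(^|\/)(__tests__|__mocks__|fixtures|mocks|stubs)\//;

function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
// Findings are shown masked (first/last 4 chars); the raw value is never emitted
function mask(value) {
  return value.length <= 8 ? '****' : `${value.slice(0, 4)}****${value.slice(-4)}`;
}
function scanFile(path, text) {
  const findings = [];
  const skipPii = TEST_PATH.test(path);
  for (const p of PATTERNS) {
    if (p.pii && skipPii) continue;
    for (const m of text.matchAll(p.re)) {
      if (p.keep && !p.keep(m[0])) continue;
      findings.push({ path, pattern: p.name, severity: p.severity, value: mask(m[0]) });
    }
  }
  return findings;
}
function scanAll(files) {
  return Object.entries(files).flatMap(([path, text]) => scanFile(path, text));
}
// Exit code 1 only on CRITICAL; HIGH/MEDIUM/LOW are reported but do not block
function exitCode(findings) {
  return findings.some((f) => f.severity === 'CRITICAL') ? 1 : 0;
}
// Constructed sample tree (AKIAIOSFODNN7EXAMPLE is AWS's documented example key)
const SAMPLE = {
  'src/config.js': 'const key = "AKIAIOSFODNN7EXAMPLE"; // ask ops@example.com\n'
    + 'const db = "10.0.0.5", cdn = "203.0.113.9";',
  'src/__tests__/auth.test.js': 'expect(u.email).toBe("alice@example.com");\n'
    + 'const tok = "ghp_' + 'a'.repeat(36) + '";',
};
const report = scanAll(SAMPLE);
console.log(report, 'exit code:', exitCode(report));
```

The test-file email is suppressed but the ghp_ token in the same file is still reported, which is exactly the "credentials are always scanned" rule.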

Output formats

Terminal (default) — colored output, grouped by severity (CRITICAL first), values masked

JSON (--json) — structured output with summary counts, useful for piping to other tools or parsing in scripts

HTML (--output report.html) — shareable self-contained report with a severity summary and full findings table

Programmatic API

import { scan, piiPatterns, credentialPatterns } from 'secretguard'
import type { ScanResult, Finding } from 'secretguard'

// Scan with defaults (all patterns, default ignore list)
const result: ScanResult = await scan('./src')

// Scan with options: extra ignored paths, credentials only (skip PII)
const credsOnly: ScanResult = await scan('./src', {
  ignore: ['tests', 'fixtures'],
  patterns: [...credentialPatterns],
})

const findings: Finding[] = result.findings
console.log(findings)             // Finding[]
console.log(result.scanned)       // number of files scanned
console.log(result.duration)      // ms
console.log(credsOnly.findings)   // credential findings only

Requirements

Node.js 18 or later.

License

MIT